
Unhelpful log message when OIDC public client wants to use HMAC id token signing



    • AM Sustaining Sprint 83, AM Sustaining Sprint 84


      Bug description

      OAuth2/OIDC public clients are not allowed to use the HMAC-based signing algorithms (HS256, HS384 or HS512), because the HMAC key is derived from the client secret, which a public client does not have. If you configure a Public client to use HS256 for ID token signing, a 500 Internal Server Error is returned and a stack trace is logged with the root cause:

      Caused by: org.forgerock.secrets.NoSuchSecretException: No secret configured for purpose oauth2.oidc.idtoken.signing

      This is likely to be confusing as it doesn't say why no secret is available.

      How to reproduce the issue

      1. Configure OpenID Connect in a realm
      2. Create an OAuth 2 client and set it as Core > Client type = Public, and set the Signing and Encryption > ID Token Signing Algorithm to HS256.
      3. Attempt to get an OIDC ID token using that client.

      Expected behaviour

      Either a validation error when trying to configure a public client with a symmetric signing algorithm or at least a sensible error message in the logs when this happens (e.g., "Cannot use HS256 signing algorithm with Public client").

      Current behaviour

      A 500 Internal Server Error together with a stack trace in the logs for NoSuchSecretException.

      Workaround

      Do not configure HMAC signing algorithms for Public clients as that is not allowed by the spec anyway. (The same probably happens if you try to configure symmetric encryption).

      Code analysis

      In the following code we just return an empty secret store if the client is not confidential. At this point we already know that a symmetric algorithm (for either signing or encryption) has been configured incorrectly, so we can fail immediately with an IllegalStateException or similar. Ideally we would also add validation to the client settings so that a client cannot be saved with these algorithms selected when the client type is Public.

      // Only confidential clients can use a client secret for encryption/signing
      if (isConfidential()) {
          return new ClientSecretKeyStore(use, keySizeBits, algorithm, getClientSecret());
      } else {
          // A public client has no secret, so no HMAC/symmetric key can be derived here;
          // returning an empty store defers the failure to an unhelpful NoSuchSecretException.
          return EmptySecretStore.INSTANCE; // *** change to: throw new IllegalStateException("Algorithm " + algorithm + " cannot be used by non-confidential clients");
      }
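      The two fixes proposed above (fail fast at secret lookup, and reject the combination when the client is saved) as a self-contained illustration. This is added example code, not OpenAM's own; the class name, the string return values standing in for ClientSecretKeyStore/EmptySecretStore, and the validation method are hypothetical.

```java
import java.util.Set;

// Hypothetical stand-in for the client settings / secret store selection; not OpenAM code.
public final class PublicClientSigningCheck {

    // The HMAC JWS algorithms named in the report; all derive their key from the client secret.
    private static final Set<String> HMAC_ALGS = Set.of("HS256", "HS384", "HS512");

    public static boolean isHmac(String algorithm) {
        return HMAC_ALGS.contains(algorithm);
    }

    /**
     * Settings-time validation: returns null if the combination is allowed, otherwise the
     * message to show instead of letting the client be saved.
     */
    public static String validateIdTokenSigning(boolean confidential, String algorithm) {
        if (!confidential && isHmac(algorithm)) {
            return "Cannot use " + algorithm + " signing algorithm with Public client";
        }
        return null;
    }

    /**
     * Runtime counterpart of the snippet in the report: instead of silently handing back an
     * empty secret store for a public client, fail with a message that names the cause.
     * Returns a label for the store that would be used (placeholder for the real store object).
     */
    public static String selectSecretStore(boolean confidential, String algorithm) {
        if (!isHmac(algorithm)) {
            return "asymmetric-keystore"; // e.g. RS256/ES256: no client secret involved
        }
        if (!confidential) {
            throw new IllegalStateException("Algorithm " + algorithm
                    + " cannot be used by non-confidential clients");
        }
        return "client-secret-keystore";
    }

    public static void main(String[] args) {
        System.out.println(validateIdTokenSigning(true, "HS256"));  // null: allowed
        System.out.println(validateIdTokenSigning(false, "RS256")); // null: allowed
        System.out.println(validateIdTokenSigning(false, "HS256")); // error message
        try {
            selectSecretStore(false, "HS384");
        } catch (IllegalStateException e) {
            System.out.println("Rejected at runtime: " + e.getMessage());
        }
    }
}
```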


              lawrence.yarham Lawrence Yarham
              neil.madden Neil Madden